53

While setting up a sudo environment I noticed that the include directive is prefixed with the pound (#) character.

Solaris shows this as:

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d

The manual (Linux as well as Solaris) states:

Including other files from within sudoers

It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives.

And:

Other special characters and reserved words

The pound sign (`#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of a user name and is followed by one or more digits, in which case it is treated as a uid). Both the comment character and any text after it, up to the end of the line, are ignored.

Does anybody know why the choice was made to use the pound character in the #include and #includedir directives?

As a side note: I often use something like egrep -v '^#|^$' configfile to get the non-default/active configured settings, and this obviously does not work for the sudoers file.

Lambert
  • 12,680
  • Also known as an Octothorpe. – nick fox Feb 18 '22 at 15:18
  • 1
    I once regarded #includedir /etc/sudoers.d as a comment and removed it, which left me nearly unable to use the "sudo" command. Similar things: modeline for vim. Any relationship among them? – Good Pen Apr 04 '22 at 14:45

2 Answers

48

#include was added in 2004. It had to be compatible with what was already there. I don't think include /path/to/file would have been ambiguous, though, but it might have been a little harder to parse, because the parser would have to distinguish include /path/to/file (include directive) from include = foo (allow the user include to run the command foo).

But I think mostly the reason was to look like the C preprocessor, which the manual explicitly cites as inspiration.

  • 1
    Nice catch and explanation, unfortunately those explanations are removed from the manuals (at least on Ubuntu, RedHat, OpenBSD and Solaris). – Lambert Nov 20 '15 at 07:11
  • 15
    The first time I analyzed my sudoers file I thought include is a directive and #include is a directive commented out. The rule of least surprise violated hard. In my opinion it's bad design. – Kamil Maciorowski Oct 13 '19 at 09:19
  • 1
    The comment should read "the # here does not mean a comment. Sorry." – gillytech Feb 19 '20 at 18:27
  • 4
    @KamilMaciorowski It's not bad. It's disastrous! I tried removing the hash tag before includedir, and I suddenly can't sudo any more. I was on an Ubuntu server, and had no other means to acquire root privilege. The result is a full reinstall (fortunately the broken OS was just a fresh install) – Aetherus Aug 27 '20 at 09:59
  • Ridiculous to use a hash (e.g. comment), regardless of the reason. – Josh M. Nov 30 '22 at 21:04
12

As a side note: I often use something like egrep -v '^#|^$' configfile to get the non-default/active configured settings, and this obviously does not work for the sudoers file.

This will work from sudo version 1.9.1 as support for @include and @includedir has been added to make it "less confusing".

Add support for @include and @includedir

These are less confusing than #include and #includedir when the hash character is also the comment character.

This commit also adds real parsing of include directives as opposed to the pure lexer approach used previously. As a result, it is now possible to include files with spaces by either using a double-quoted string or escaping the space characters with a backslash.

Use of #include and #includedir is retained for compatibility with versions prior to 1.9.1.

lx07
  • 221
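The egrep -v '^#|^$' one-liner from the question, and the @include quoting rules quoted in this answer, can be put into a small script. The following is an added example, not code from the original post or from the sudo project. It assumes the file to inspect is passed as the first argument (a constructed sample is used when none is given), it applies the 1.9.1 quoting rules to the legacy #include spelling as well as to @include (an assumption; the changelog above only says parsing was added for "include directives"), and it leaves a %h hostname token in a path unexpanded. It keeps the three forms of '#' that sudoers does not treat as a comment: #include, #includedir, and #<digits> standing in for a user name.

```shell
#!/bin/sh
# Added example (not from the original post or from the sudo project).
# Assumptions: the file to inspect is $1; the sample below is constructed for
# the demo; quoted and backslash-escaped paths are accepted for both the
# @include and the legacy #include spelling; a %h token in a path is left as-is.

# Write a constructed sudoers sample to the path given in $1.
make_sample() {
    cat > "$1" <<'EOF'
# User privilege specification
Defaults env_reset

root    ALL=(ALL:ALL) ALL
#1000   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
#%admin ALL=(ALL) ALL

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
@include "/etc/sudoers.d/site config"
@include /etc/sudoers.d/with\ space
@includedir /etc/sudoers.d/extra
EOF
}

# Print the lines of $1 that configure something. Unlike egrep -v '^#|^$',
# this keeps the '#' forms that sudoers does not treat as comments.
sudoers_active() {
    awk '
        /^[ \t]*$/                        { next }          # blank line
        /^[ \t]*#include(dir)?([ \t]|$)/  { print; next }   # legacy include directive
        /^[ \t]*#[0-9]/                   { print; next }   # "#uid" in place of a user name
        /^[ \t]*#/                        { next }          # a real comment
                                          { print }
    ' "$1"
}

# Print "include<TAB>path" or "includedir<TAB>path" for every include
# directive in $1, undoing the 1.9.1 quoting: a double-quoted path runs up to
# the closing quote; an unquoted one ends at the first unescaped blank and has
# its backslash escapes removed.
sudoers_includes() {
    awk '
        /^[ \t]*[#@]include(dir)?([ \t]|$)/ {
            kind = ($0 ~ /^[ \t]*[#@]includedir/) ? "includedir" : "include"
            sub(/^[ \t]*[#@]include(dir)?[ \t]*/, "")
            if (substr($0, 1, 1) == "\"") {
                rest = substr($0, 2)
                path = substr(rest, 1, index(rest, "\"") - 1)
            } else {
                path = ""
                n = length($0)
                for (i = 1; i <= n; i++) {
                    c = substr($0, i, 1)
                    if (c == "\\") { i++; c = substr($0, i, 1) }
                    else if (c == " " || c == "\t") break
                    path = path c
                }
            }
            print kind "\t" path
        }
    ' "$1"
}

# Syntax-check a candidate file without installing it (non-zero exit on
# error). Run this before any edit that could otherwise lock you out of sudo.
sudoers_check() {
    visudo -c -f "$1"
}

# With no argument, demonstrate on the constructed sample; otherwise inspect
# the given file (e.g. /etc/sudoers, which normally needs root to read).
main() {
    if [ $# -gt 0 ]; then
        f=$1
    else
        f=$(mktemp) && make_sample "$f"
    fi
    echo "== active lines in $f"; sudoers_active "$f"
    echo "== include directives";  sudoers_includes "$f"
}
main "$@"
```

On the sample, the commented-out #%admin line is dropped while #1000 and #includedir survive, and the two @include paths containing a space come out unquoted and unescaped. sudoers_check is the step to add before installing a hand-edited file, since a broken /etc/sudoers is exactly the lock-out described in the comments above.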